From ae17e7ef3d511696b9ae4824b2c445a7bcd5f8fb Mon Sep 17 00:00:00 2001 From: brooke Date: Tue, 29 Apr 2025 12:13:37 -0400 Subject: [PATCH] update --- .env.sample | 16 ++++----- README.md | 3 +- abra.sh | 1 + compose.smtp.yml | 15 ++++++++ compose.yml | 43 +++++++++++++++++------ entrypoint.sh.tmpl | 86 +++++++++++++++++++++++++++++++++++++++++++++- 6 files changed, 142 insertions(+), 22 deletions(-) create mode 100644 abra.sh create mode 100644 compose.smtp.yml diff --git a/.env.sample b/.env.sample index a273972..10f4c7e 100644 --- a/.env.sample +++ b/.env.sample @@ -2,28 +2,24 @@ TYPE=borgwarehouse DOMAIN=borgwarehouse.example.com -## Domain aliases -#EXTRA_DOMAINS=', `www.borgwarehouse.example.com`' - LETS_ENCRYPT_ENV=production +SECRET_NEXTAUTH_SECRET_VERSION=v1 +COMPOSE_FILE="compose.yml" ## Required variables section ## -# Hostname and URL -NEXTAUTH_URL=https://your.domain.com - -# Secrects -NEXTAUTH_SECRET=your-secret -CRONJOB_KEY=your-other-secret - # data folders (volume mounts) # set this variable if you have a dedicated share/mount on the server that can hold your borg repos # the folder must be owned by 1001:1001 # BORG_REPOSITORY_PATH=./repos +## Optional ## + # SMTP server settings #MAIL_SMTP_FROM= #MAIL_SMTP_HOST= #MAIL_SMTP_PORT= #MAIL_SMTP_LOGIN= #MAIL_REJECT_SELFSIGNED_TLS=true +#SECRET_SMTP_SECRET_VERSION=v1 +#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml" \ No newline at end of file diff --git a/README.md b/README.md index 0d42de1..3b06c5a 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ * **Category**: Apps -* **Status**: 0 +* **Status**: wip * **Image**: [`borgwarehouse`](https://hub.docker.com/r/borgwarehouse), 4, upstream * **Healthcheck**: No * **Backups**: No @@ -17,6 +17,7 @@ ## Quick start +* Deploy traefik & uncomment the section `## BorgWarehouse SSH` * `abra app new borgwarehouse --secrets` * `abra app config ` * `abra app deploy ` diff --git a/abra.sh b/abra.sh new file mode 100644 index 0000000..8069c2e --- /dev/null 
+++ b/abra.sh @@ -0,0 +1 @@ +export ENTRYPOINT_VERSION=v1 \ No newline at end of file diff --git a/compose.smtp.yml b/compose.smtp.yml new file mode 100644 index 0000000..2163c79 --- /dev/null +++ b/compose.smtp.yml @@ -0,0 +1,15 @@ +--- +version: "3.8" + +services: + app: + secrets: + - nextauth_secret + - smtp_password + environment: + - MAIL_SMTP_PWD_FILE="/run/secrets/smtp_password" + +secrets: + smtp_password: + name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_SECRET_VERSION} + external: true \ No newline at end of file diff --git a/compose.yml b/compose.yml index 6c8dd08..0a0448f 100644 --- a/compose.yml +++ b/compose.yml 
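Review bot: `- MAIL_SMTP_PWD_FILE="/run/secrets/smtp_password"` in compose.smtp.yml keeps the double quotes inside the YAML plain scalar, so compose passes them through and the variable's value is the literal `"/run/secrets/smtp_password"` including the quote characters; `file_env "MAIL_SMTP_PWD"` in the entrypoint will then look for a path that does not exist and the SMTP password is never loaded. compose.yml in this same commit writes `NEXTAUTH_SECRET_FILE=/run/secrets/nextauth_secret` without quotes, so make this line match: `- MAIL_SMTP_PWD_FILE=/run/secrets/smtp_password`. The `secrets:` list in the override also repeats `nextauth_secret`, which compose.yml already grants; if compose merges the two lists by appending this is only duplication, but it reads clearer to list just `smtp_password` here.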
@@ -4,37 +4,60 @@ version: "3.8" services: app: image: borgwarehouse/borgwarehouse:v3.0.0 - user: "1001:1001" + configs: + - source: entrypoint + target: /custom-entrypoint.sh + mode: 0555 + entrypoint: /custom-entrypoint.sh + secrets: + - nextauth_secret environment: - WEB_SERVER_PORT=3000 - SSH_SERVER_PORT=2002 + - NEXTAUTH_URL=https://${DOMAIN} - FQDN=${DOMAIN} - - MAIL_SMTP_PWD_FILE="/run/secrets/smtp_password" + - NEXTAUTH_SECRET_FILE=/run/secrets/nextauth_secret volumes: - - config:/home/borgwarehouse/app/config - - sshkey:/home/borgwarehouse/.ssh + - configs:/home/borgwarehouse/app/config + - ssh:/home/borgwarehouse/.ssh + - tmp:/home/borgwarehouse/tmp + - logs:/home/borgwarehouse/logs - sshhost:/etc/ssh - ${BORG_REPOSITORY_PATH:-repos}:/home/borgwarehouse/repos - - tmp:/home/borgwarehouse/tmp - - log:/home/borgwarehouse/logs + networks: + - proxy deploy: restart_policy: condition: on-failure labels: - "traefik.enable=true" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3000" - - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.tcp.routers.${STACK_NAME}-ssh.rule=HostSNI(`*`)" + - "traefik.tcp.routers.${STACK_NAME}-ssh.entrypoints=borgwarehouse-ssh" + - "traefik.tcp.services.${STACK_NAME}-ssh.loadbalancer.server.port=2002" - "coop-cloud.${STACK_NAME}.version=0.1.0+v3.0.0" networks: proxy: external: true +secrets: + nextauth_secret: + name: ${STACK_NAME}_nextauth_secret_${SECRET_NEXTAUTH_SECRET_VERSION} + external: true + volumes: - config: - sshkey: + logs: sshhost: repos: + configs: + ssh: tmp: - log: + +configs: + entrypoint: + name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION} + file: entrypoint.sh.tmpl + template_driver: golang \ No newline at end of file 
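Review bot: `user: "1001:1001"` is dropped in the same hunk that adds `entrypoint: /custom-entrypoint.sh`, so the service now starts as the image's default user, which this page does not show; the new entrypoint runs `ssh-keygen -A` into `/etc/ssh` and chmods the mounted volumes, so it presumably needs root, and nothing visible drops privileges before `supervisord` is exec'd. If the image defaults to root, the web app and sshd inherit it; if it defaults to 1001, the `/etc/ssh` writes fail — either way the intended uid should be recorded next to `entrypoint:`, e.g. `# must run as root: writes /etc/ssh and chmods the volumes; confirm supervisord.conf drops to 1001`, and the `.env.sample` comment "the folder must be owned by 1001:1001" should be kept in step with it. Separately, renaming the named volumes `config`→`configs`, `sshkey`→`ssh` and `log`→`logs` detaches an already-deployed stack from its app config and `authorized_keys`; keep the old names or document the migration in the README.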
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 6f071c4..9158096 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -24,4 +24,88 @@ file_env() { unset "$fileVar" } -file_env "MAIL_SMTP_PWD" \ No newline at end of file +file_env "MAIL_SMTP_PWD" +file_env "NEXTAUTH_SECRET" + +SSH_DIR="/home/borgwarehouse/.ssh" +AUTHORIZED_KEYS_FILE="$SSH_DIR/authorized_keys" +REPOS_DIR="/home/borgwarehouse/repos" + +print_green() { + echo -e "\e[92m$1\e[0m"; +} +print_red() { + echo -e "\e[91m$1\e[0m"; +} + +init_ssh_server() { + if [ -z "$(ls -A /etc/ssh)" ]; then + print_green "/etc/ssh is empty, generating SSH host keys..." + ssh-keygen -A + cp /home/borgwarehouse/moduli /etc/ssh/ + fi + if [ ! -f "/etc/ssh/sshd_config" ]; then + print_green "sshd_config not found in your volume, copying the default one..." + cp /home/borgwarehouse/app/sshd_config /etc/ssh/ + fi +} + +check_ssh_directory() { + if [ ! -d "$SSH_DIR" ]; then + print_red "The .ssh directory does not exist, you need to mount it as docker volume." + exit 1 + else + chmod 700 "$SSH_DIR" + fi +} + +create_authorized_keys_file() { + if [ ! -f "$AUTHORIZED_KEYS_FILE" ]; then + print_green "The authorized_keys file does not exist, creating..." + touch "$AUTHORIZED_KEYS_FILE" + fi + chmod 600 "$AUTHORIZED_KEYS_FILE" +} + +check_repos_directory() { + if [ ! -d "$REPOS_DIR" ]; then + print_red "The repos directory does not exist, you need to mount it as docker volume." + exit 2 + else + chmod 700 "$REPOS_DIR" + fi +} + +get_SSH_fingerprints() { + print_green "Getting SSH fingerprints..." 
+ RSA_FINGERPRINT=$(ssh-keygen -lf /etc/ssh/ssh_host_rsa_key | awk '{print $2}') + ED25519_FINGERPRINT=$(ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key | awk '{print $2}') + ECDSA_FINGERPRINT=$(ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key | awk '{print $2}') + export SSH_SERVER_FINGERPRINT_RSA="$RSA_FINGERPRINT" + export SSH_SERVER_FINGERPRINT_ED25519="$ED25519_FINGERPRINT" + export SSH_SERVER_FINGERPRINT_ECDSA="$ECDSA_FINGERPRINT" +} + +check_env() { + if [ -z "$CRONJOB_KEY" ]; then + CRONJOB_KEY=$(openssl rand -base64 32) + print_green "CRONJOB_KEY not found or empty. Generating a random key..." + export CRONJOB_KEY + fi + + if [ -z "$NEXTAUTH_SECRET" ]; then + NEXTAUTH_SECRET=$(openssl rand -base64 32) + print_green "NEXTAUTH_SECRET not found or empty. Generating a random key..." + export NEXTAUTH_SECRET + fi +} + +check_env +init_ssh_server +check_ssh_directory +create_authorized_keys_file +check_repos_directory +get_SSH_fingerprints + +print_green "Successful initialization. BorgWarehouse is ready !" +exec supervisord -c /home/borgwarehouse/app/supervisord.conf \ No newline at end of file
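Review bot: `check_env` silently generates a fresh `NEXTAUTH_SECRET` whenever the variable is empty, but compose.yml in this commit already delivers it via `NEXTAUTH_SECRET_FILE=/run/secrets/nextauth_secret`, so a missing, misnamed or unreadable secret is never reported: the container just starts with a different secret on every restart, invalidating existing sessions behind a green message. Replace that branch with a hard failure, `print_red "NEXTAUTH_SECRET is empty; check the nextauth_secret docker secret and NEXTAUTH_SECRET_FILE."` followed by `exit 3`. `CRONJOB_KEY` has the same shape: nothing in compose.yml or .env.sample sets it any more, so it is regenerated on each start, and anything outside the container that relies on it (not visible here) breaks after a restart — persist it in a volume or provide it as a secret. `file_env` is defined above the hunk, so what it does when a `_FILE` path cannot be read is not visible from this diff.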